An IronKey Whitepaper
February 2007
Information Depth: Technical
Introduction
Portable storage devices are a popular way to transport files between computers and to
back up important information. However, the ubiquity of these devices heightens the security
concerns of carrying confidential data. It is important to prevent confidential information from
falling into the hands of unauthorized users should a device be lost or stolen. Encryption can
be an effective way to protect the privacy of sensitive corporate and personal data.
While software encryption programs can help protect data and provide a good first line of
defense, they are vulnerable to a number of decryption attacks. Hardware-based encryption
offers a stronger defense against the same threat models, and is now available on a new generation
of portable data security and authentication devices from IronKey. This paper examines
IronKey’s data encryption capabilities, compares the competing software and hardware-based
approaches, and analyzes their effectiveness against various threat models.
Encryption Algorithms
Typically a government-approved strong encryption algorithm such as AES is used for both
hardware and software-based encryption. Since 128-bit key lengths will protect data from
brute force decryption attacks for the foreseeable future, IronKey devices implement standard,
government-approved AES CBC-mode 128-bit encryption. This encryption is implemented in
hardware and cannot be tampered with or disabled.
Sidebar: The IronKey Cryptochip uses government-approved AES CBC-mode 128-bit encryption.
Some software implementations may try to defend against brute force attacks by maintaining
a counter that tracks the number of times an incorrect password was entered. This can
be easily defeated by a memory rewind attack. To do this, the attacker makes a copy of the
encrypted data and the encryption software’s temporary files before beginning the brute force
attack. The attacker simply reinstates the original files after every password-guessing attempt.
This makes it impossible for the software implementation to prevent brute force password or
key guessing attacks. Many hardware-based encryption systems are also vulnerable to these
types of attacks if they store a counter in the flash memory. The attacker simply rewinds the
counter after every attack.
© 2007 IronKey, Inc. All rights reserved.
IronKey devices use a separate cryptographic processor with its own internal password
guessing counter. This counter is not stored in the flash memory, so it is not vulnerable to
memory rewind attacks. This cryptographic processor is hardened against power attacks, bus
sniffing, etc. It is impossible to physically tamper with or reset the counter. Once the counter
has reached a pre-defined limit, the encryption keys are destroyed by the processor, and the
stored encrypted files are permanently inaccessible.
Sidebar: The IronKey Cryptochip utilizes an internal password counter that cannot be tampered
with or reset.
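The difference between the two counter placements described above can be modelled in a few lines. This is an added example, not IronKey code; the class names, the limit of 10 and the sample data are assumptions made for the model.

```python
import copy

LIMIT = 10  # assumed retry limit; the page says only "a pre-defined limit"

class FlashCounterVault:
    """Counter stored in the same copyable storage as the encrypted data."""
    def __init__(self, password):
        self._password = password  # stands in for a real key-derivation check
        self.flash = {"ciphertext": b"constructed sample", "failed": 0}

    def unlock(self, guess):
        if self.flash["failed"] >= LIMIT:
            return "locked"
        if guess == self._password:
            return "ok"
        self.flash["failed"] += 1
        return "wrong"

class SealedCounterVault:
    """Counter and key held inside the crypto processor, not in flash."""
    def __init__(self, password):
        self._password = password
        self.flash = {"ciphertext": b"constructed sample"}
        self._failed = 0          # not part of anything that can be copied out
        self._key = b"\x00" * 16  # placeholder 128-bit key

    def unlock(self, guess):
        if self._key is None:
            return "keys destroyed"
        if guess == self._password:
            return "ok"
        self._failed += 1
        if self._failed >= LIMIT:
            self._key = None      # limit reached: data permanently inaccessible
        return "wrong"

def guesses_evaluated(vault, attempts, rewind=True):
    """Return how many wrong guesses the vault actually checked."""
    snapshot = copy.deepcopy(vault.flash)  # copy of everything held in flash
    evaluated = 0
    for i in range(attempts):
        if vault.unlock(f"guess-{i}") == "wrong":
            evaluated += 1
        if rewind:
            vault.flash = copy.deepcopy(snapshot)  # restore the original copy
    return evaluated
```

With the flash restored after each attempt, the flash-resident counter never reaches its limit, while the sealed counter stops evaluating guesses at the limit regardless of what happens to the flash contents.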
The www.distributed.net organization has been operating parallel offline attacks as research
projects for many years. Today, malicious attackers can scale up this approach and put tens
of thousands of computers to work guessing passwords. It is not uncommon to find botnets
(“roBOT NETworks”) of hijacked PCs (“zombies”) on the Internet for rent. For a small fee, an
attacker could potentially have 10,000 to 100,000 PCs cracking a password or key in parallel.
A properly implemented hardware-based encryption device can help prevent such attacks by
not mounting the device onto a PC until the correct password has been entered. Thus an
unauthorized user cannot copy the contents of the drive onto a PC for replication to a botnet.
Some hardware devices could still be vulnerable to a parallel offline attack if the attacker can
disassemble the device, remove the flash memory chips, and install them onto a device of his
own manufacture. This could allow the attacker to copy the contents of the memory chips
onto his PC for replication to a botnet. IronKey devices make this kind of attack very difficult
due to their tamper-resistant casing and board-level potting. This process makes it extremely
difficult to get the memory chips off the printed circuit board without destroying them in the
process.
Sidebar: The IronKey Cryptochip is permanently set in a solid metal casing filled with a
tamper-resistant potting material.
Security Updates
It is fairly common for software and firmware to be updated by the manufacturer on a periodic
basis. It is convenient for users to download these updates over the Internet. IronKey
devices verify the authenticity of these updates by checking digital signatures before installing
the firmware upgrades. This checking is done in hardware, thus preventing malicious code
from being executed on the device. Software implementations can check signatures of update
files; however, the signature checking could be compromised and modified by malicious software
on the PC.
Sidebar: IronKey digitally signs all updates, ensuring the authenticity of firmware upgrades.
Speed
In addition to much better security, hardware-based encryption has other benefits for users.
Software-based encryption typically runs much more slowly than hardware-based encryption.
IronKey devices are specially optimized for high-speed data transfer, performing at the top of
their class by reading data at up to 30 megabytes per second and writing data up to 20 megabytes
per second (numbers generated from Intel’s Iometer performance measurement tool).
Sidebar: IronKey devices are optimized for high-speed data transfer, reading up to 30MBps and
writing up to 20MBps.
Conclusion
Hardware-based encryption, when implemented in a secure manner, is demonstrably superior
to software-based encryption. That being said, hardware-based encryption products can also
vary in the level of protection they provide against brute force rewind attacks, offline parallel
attacks, or other cryptanalysis attacks.
IronKey devices address the threat models described in this whitepaper. Password brute force
guessing is prevented, and a variety of two-factor authentication protocols are provided. The
physical security features of the devices protect against disassembly, rewind attacks and offline
parallel attacks. IronKey devices provide fast, strong, and always-on encryption that mitigates
the security concerns of transporting confidential data.
References
Bruce Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C, 2nd Ed, 1996, John Wiley & Sons, Inc.
Definition of Brute Force Attack, Wikipedia, http://en.wikipedia.org/wiki/Brute_force_attack
FIPS PUB 140-2 Federal Information Processing Standards Publication – Security Requirements for Cryptographic Modules, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
FIPS PUB 197 Federal Information Processing Standards Publication – Announcing the Advanced Encryption Standard (AES), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Joan Daemen, Vincent Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard, 2002, Springer-Verlag Berlin Heidelberg.
Niels Ferguson, Bruce Schneier, Practical Cryptography, 2003, John Wiley & Sons.
Secure Encryption Challenged by Internet-Linked Computers, Oct. 22, 1997, http://distributed.net/pressroom/56-PR.html
Find more information about IronKey online at: www.ironkey.com
IronKey, Inc., 5150 El Camino Real, Suite C31, Los Altos, CA 94022 USA, +1 (650) 492-4055, info@ironkey.com
The information contained in this document represents the current view of IronKey on the issue discussed as of the date of publication. IronKey cannot
guarantee the accuracy of any information presented after the date of publication. This whitepaper is for information purposes only. IronKey makes no warranties,
expressed or implied, in this document. IronKey and the IronKey logo are trademarks of IronKey, Inc. in the United States and other countries. All other
trademarks are the properties of their respective owners. © 2007 IronKey, Inc. All rights reserved. IK0030270